Best Wordpress Security Plugin

These sorts of things are best handled through a layered approach, using a host that provides specialist WordPress tools (eg: Plesk hosting with WordPress Toolkit) along with security tools such as Immunify360 or similar to block and scan for attacks so that you stay informed, combine this with WordFence or Sucuri plugins and you are on the way to helping keep your site safe.
You must keep WordPress and all plugins updated else it doesn't matter how good your scanning is you will still get popped.

Plesk's WordPress Toolkit for example does the following security improvements to WordPress sites
Forbid's execution of PHP scripts in the wp-includes directory
Forbid's execution of PHP scripts in the wp-content/uploads directory
Disable's scripts concatenation for WordPress admin panel
Turns off pingbacks
Enables hotlink protection
Disables file editing in WordPress Dashboard
Enables bot protection
Blocks access to potentially sensitive files
Blocks access to .htaccess and .htpasswd
Blocks author scans
Restricts access to files and directories
Configures random security keys
Blocks directory browsing
Blocks unauthorized access to wp-config.php
Disables unused scripting languages
Disables PHP execution in cache directories
Changes the default database table prefix
Blocks access to sensitive files
Changes the default administrator's username